At InterMediation Nigeria Foundation, we prioritize the security and confidentiality of personal data we collect from beneficiaries, donors, partners, and staff. To safeguard this information, we implement strict data storage practices that comply with relevant laws and best practices for privacy protection. This document outlines how we store, manage, and protect personal data.
Types of Data We Store
We may store the following types of personal data:
- Personal Identification Information: Names, contact information (phone numbers, email addresses, postal addresses), identification numbers.
- Health Information: Medical history, diagnosis, treatment plans, and health-related data for Vesico-Vaginal Fistula (VVF) survivors.
- Program Data: Information on participation in skills acquisition programs, progress, and outcomes.
- Financial Data: Donation details, donor information, payment history, and billing addresses.
- Communications: Emails, inquiries, and correspondence with beneficiaries, donors, and partners.
- Media and Testimonials: Photographs, videos, and testimonials (only with consent).
Data Storage Methods
We employ both physical and digital storage methods to manage personal data:
Physical Storage
- Paper Records: Some documents, such as consent forms, medical records, and beneficiary applications, may be stored in physical form. These records are securely kept in locked filing cabinets in access-controlled areas.
- Access Control: Only authorized personnel, such as healthcare professionals or program managers, have access to physical records. Physical files are safeguarded in secure, limited-access areas within our offices.
Digital Storage
- Cloud Storage: We store most of our data electronically using secure, encrypted cloud-based systems. The cloud service provider is chosen based on its adherence to international data protection standards and compliance with relevant data protection laws.
- Local Servers: For highly sensitive data, such as medical information, we may use secure, encrypted local servers. These servers are protected with firewalls, multi-factor authentication, and other security protocols.
- Encrypted Devices: Data stored on computers, laptops, or other digital devices is encrypted and password-protected. Regular audits and updates to security software are conducted to prevent unauthorized access.
Data Security Measures
We take the following steps to ensure the security and protection of stored data:
- Encryption: All sensitive data, including health records and financial information, is encrypted both at rest and in transit. This ensures that even if data is intercepted or compromised, it cannot be accessed without proper decryption keys.
- Access Control: Access to both physical and digital data is restricted based on role and necessity. Only authorized staff with specific job functions (e.g., healthcare professionals, IT personnel) have access to certain types of data. Access is granted on a need-to-know basis.
- Password Protection: All systems used to store personal data require strong, regularly updated passwords. We also implement multi-factor authentication for added security.
- Regular Audits: We conduct regular security audits to assess potential vulnerabilities in our data storage systems and make necessary updates to comply with the latest security standards.
- Data Backup: Regular backups are performed for all critical data to ensure data recovery in case of a system failure, cyber-attack, or other disaster. Backups are stored securely offsite and are subject to the same encryption standards as primary data.
Data Retention and Disposal
We store personal data only for as long as it is necessary for the purpose for which it was collected. Once data is no longer needed, we ensure its secure disposal.
- Retention Periods: We define retention periods based on legal, regulatory, and operational requirements. For example, medical data might be retained for a specific period to comply with healthcare laws, while donor data may be kept for financial reporting purposes.
- Secure Disposal: When personal data is no longer required, it is securely deleted or destroyed. Physical records are shredded, while digital files are securely erased using industry-standard deletion methods to ensure that they cannot be recovered.
Data Sharing and Transmission
When we need to share personal data (e.g., with healthcare providers or donors), we take the following precautions to ensure its security:
- Encryption in Transit: All data transmitted between our systems and external parties is encrypted to prevent unauthorized access. This applies to email, cloud storage, and third-party platforms.
- Secure File Sharing: When sharing sensitive files, we use secure file-sharing platforms with password protection and encryption. Access is granted only to authorized recipients.
- Third-Party Data Handling: Any third-party service providers (e.g., cloud storage providers, partners) we work with must comply with our strict data protection standards and legal requirements.
Data Breach Response
In the event of a data breach, we have a clear protocol in place:
- Immediate Action: Upon detecting a data breach, we will immediately assess the scope and severity of the breach.
- Notification: We will notify affected individuals, relevant authorities, and regulatory bodies within the legally mandated timeframes.
- Remediation: We will take immediate steps to secure our systems, investigate the breach, and implement corrective actions to prevent future incidents.
This data storage policy ensures that we handle personal information with the highest level of security and respect for privacy.
